Move away from passwords, deploy Windows Hello. Today!

Something we understood from the very beginning with Windows Hello for Business is our customers would approach Windows 10 in a series of phases. The first phase is to simply deploy the platform itself. From there, additional phases would follow to take advantage of optional Windows 10 technologies that require additional planning and enablement.

Since Windows 10 originally released we have continued to make significant investments to Windows Hello for Business, making it easier to deploy and easier to use, and we are seeing strong momentum with adoption and usage of Windows Hello. As we shared at Ignite 2017 conference, Windows Hello is being used by over 37 million users, and more than 200 commercial customers have started deployments of Windows Hello for Business. As many would expect, Microsoft currently runs the world’s largest production, with over 100,000 users; however, we are just one of many running at scale, the second largest having just reached 25,000 users.

With misused, default, or stolen credentials being the leading cause of data breaches (2017 Data Breach Investigations Report - Verizon) we believe Windows Hello for Business should be at the top of your priority list for what to configure next after your initial Windows 10 deployment. With it you can get your users to a multifactor authentication solution that works on any Windows 10 device – with no password to be lost, forgotten, or compromised. In the content that follows we will explain what improvements you’ll find in our latest Windows 10 releases, including the most recent version 1709, which we refer to as the Fall Creators Update.

Simplifying deployment

When it comes to deployment, the Creators Update (1703) from last spring, was the release that made Windows Hello for Business viable and deployable at scale within complex organizations like ours and many of our customers. Since then we’ve learned a great deal from early adopters and our own personal experiences with 100K plus users within Microsoft. Now with the Fall Creators Update (1709) we believe that Windows Hello for Business is in a position for mainstream deployments across organizations of all shapes, sizes, and levels of complexity. Here are some of the key improvements that are now available.

The first and most important improvement we made is improving the Admin Experience. For a successful rollout, we focused on making it easier to deploy and manage Windows Hello for Business in a variety of environment types. For some time now Windows 10 has supported Azure Active Directory and hybrid environments with Azure Active Directory Connect, enabling many of our customers to deploy Windows Hello in their environments through the cloud. With the Creators Update (1703) from last spring we added support for on-premises Active Directory-only environments enabling all organizations, particularly those in public sector, to use Windows Hello for Business.

In the just released Fall Creators Update (1709) we’ve made significant improvements to the provisioning and enrollment experience to ensure deterministic and instant enrollment. Organizations with existing public key infrastructure (PKI) and certificate deployments can deploy Windows Hello for Business leveraging their current certificate enrollment mechanisms. System Center Config Manager for certificate provisioning is no longer required for Windows Hello provisioning, and this functionality is now provided through Active Directory Federation Server (ADFS) Certificate Registration Authority. With these improvements, users who enroll in Windows Hello are provisioned instantly and can benefit from single sign-on experiences immediately after completing the enrollment process. We have published planning and deployment guides which provide detailed guidance for deploying Windows Hello for Business in your environment.

Improving user experience

While early adopters have focused much of their feedback on areas that would help us simplify deployment challenges we’ve also made significant investments to improve the user experience across a number of areas. We recognize that it’s critical for users to develop a strong preference for Windows Hello, so that they never feel compelled to go back to using passwords, and the way we’ll achieve that is by making sure Windows Hello offers a superior user experience. The improvements users can take advantage of are listed below.

PIN recovery

Windows Hello is a multi-factor authentication solution that can be used with a PIN that unlocks a key bound to the device -- something you have and something you know. If users forget the PIN, it’s important to provide a streamlined recovery experience. In the Creators update (1703), we added support for remote PIN reset on corporate owned phones. This enabled IT administrators of hybrid organizations to configure a PIN reset service that enables users to reset their PIN and recover access to the device without losing keys that were previously provisioned.

In the Fall Creators Update (1709), we have added support for self-service PIN reset from the lock screen which further improves the user experience. The user can now safely reset the PIN using Azure Multi-Factor Authentication(MFA) from the same device without having to reach out to the IT Helpdesk.

While we transition to a world without passwords, we realize that many organizations will still need to use passwords in certain circumstances (e.g.: legacy applications). Consequently users may still have passwords set to expire in accordance with IT policies. It’s easy to forget a password that you don’t use frequently; to improve the experience for such users, we introduced the option to use Hello PIN to change expired passwords.

Extending Windows Hello with new capabilities

Along with the deployment and user experience improvements we have also added new capabilities that will extend Windows Hello by providing additional security and usability benefits to users.

Dynamic lock

Introduced earlier this year in the Creators Update (1703), dynamic lock will automatically lock a device when the user is no longer within proximity. If you forget to lock your PC or tablet when you step away, Windows Hello can use a phone that's paired with your device to automatically lock it shortly after you're out of Bluetooth range. Dynamic lock can provide an additional layer of protection to help prevent unauthorized access to an unlocked, unattended device. This is a great improvement over the traditional inactivity/time based lock. Dynamic lock works with any paired phone. While still a relatively brand-new feature that users have to opt-in to, we see over 50,000 dynamic locks on daily basis keeping users safe.

Multi-factor device unlock

Until recently, you could only allow the user to unlock their device with either Face, Fingerprint or PIN. New with the Fall Creators Update (1709), Windows Hello now allows you to raise the bar by configuring Windows such that it requires users to provide a combination of additional factors and/or trusted signals to unlock their PC. For instance you can require users to use both Facial recognition and PIN to unlock their PC. In addition to the Hello gestures, we added support for trusted signals like network location and phone proximity.

Wouldn’t it be great if Windows allows you to authenticate with just Facial recognition because you are at work but when you transition to a less trustworthy location, like a coffee shop additional factors such as the proximity of your phone are added as an authentication requirement? With Fall Creators Update, this is now possible.

Windows Hello has also integrated with Intel Authenticate technology to provide additional security hardening by leveraging hardened Intel factors for network location and Bluetooth proximity, on devices that have hardware that supports Intel Authenticate technology.

Over time we’ve made many improvements to Windows Hello; with the Fall Creators Update we’ve reached a point where it’s ready for large-scale adoption for all of our customers, not just the ones with large IT organizations and big budgets. As you exit phase one of your Windows 10 plans and complete your deployments, we hope you that will put Windows Hello for Business at the top of your "What to do next?" list.